UK GDPR for Noobs

WM Circle Logo

By: Mike Giambattista, CLMP |

Posted on July 20, 2017

Pre-marriage jitters.  A few short months ago UK businesses and organizations of all types polled confidently high when questioned about their readiness for the oncoming data regulation changes – maybe a little too high.  More recent polls suggest a more circumspect tone on the topic - possibly a function of improved clarity on the specific regulations.
By Mike Giambattista

Recently released data from the DMA is telling:
●      Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline versus the 68% in February.
●      Marketers perception of their knowledge as ‘good’ rather than ‘basic’ has also slipped from 66% to 59%.
●      Marketers sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What’s keeping GDPR designates awake at night?

As DotMailer puts it, “If you are the only person in your organization that is thinking about GDPR, you could be in big, big trouble. This is a major change … so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.”

Data Audit
Among other things, you need to fully document the where / when / how and why of your data collection, storage and transfer policies.

Privacy Notices
Regulators have given marketers more detailed instructions as to what openness, honesty and transparency entails in practice. The Information Commissioner’s Office (ICO) has released a code of practice on privacy notices.

Subject Access Requests
Under GDPR you will no longer be able to charge for them and you will have to reply within 30 rather than 40 days.

Legal Basis
Under the GDPR, the legal basis for processing data is all-important because individuals’ rights can change depending on the legal basis you determine for processing the data.

GDPR defines how to get consent with the following stipulations:
●      Must be freely given – giving people genuine choice and control over how you use their data.
●      Specific – clearly explain exactly what people are consenting to in a way they can easily understand.
●      Informed – clearly identify yourself as the data controller, describe the reason behind each data processing operation, and notify people of their right to withdraw consent at any time.
●      Unambiguous – it must be clear that the person has consented and what they have consented to with an affirmative action.

For the first time, the GDPR specifically calls out the rights of children and offers special protection for their personal data in the digital world.

Data Breaches
The GDPR makes it the responsibility of all organizations to issue notifications for certain types of data breaches. If this risk is high you may also have to notify the individual directly.

Mike Giambattista is Managing Editor at The Wise Marketer